Posts
Under: EU

In May 2018, the new European Union (EU) privacy and data security regulations will take effect. These regulations, formally known as the General Data Protection Regulation (GDPR), will make many changes from current EU regulations. Even with Brexit, the UK plans to implement the Regulation as well. The challenges can seem daunting, and the stakes are potentially high as the regulators can impose fines for non-compliance as high as 4% of global revenue.

A piece in DigiDay yesterday draws attention to the fact that publishers are at risk under the draft ePrivacy Regulation under consideration in Brussels. At this time, the draft Regulation is in a state of flux, and the outcome is hard to know, with a possible tightening of the current requirements on cookies.
Under the current ePrivacy Directive, often referred to as the “Cookie Directive” publishers merely need to get consent, by having readers click a box that they consent to the use of cookies. As the DigiDay article points out, the new regulation could empower browsers to play more of a gatekeeper role, which is one of several possible outcomes.
SIIA has been active in highlighting the problems for European policymakers. On July 1, 2016, we filed comments arguing that the proposal should not be extended to software and digital content publishers and over-the-top-content providers, who would continue to be regulated under the more flexible rules of th ...

Human Rights Watch (HRW) and Amnesty International (AI) issued a press release today on a letter and brief the two organizations sent to European Justice and Home Affairs Commissioner Vera Jourova arguing for invalidation of the EU-U.S. Privacy Shield. The letter and brief can be found here.
On substance of the criticism, these groups continue to sell the U.S. surveillance framework short, failing to recognize extensive transparency and safeguards that underlie the U.S. framework. That aside, invalidation on these terms is not appropriate because the European Commission’s reasoned and detailed adequacy decision was based on information about U.S. surveillance practices and laws that the Commission had when the decision was released on July 12, 2016. After reviewing the commitments self-certifying organizations would make under the privacy shield and the enforcement mechanisms available under U.S. law, the Commission said, “the United States ensures an a ...

Does the EU’s right to be forgotten extend to the whole world? The French data protection authority, CNIL, says yes and wants search engines to delist search results which contain information that violates the European Union’s right to be forgotten – not just for French users, not just for European users, but for all users everywhere. Google is prepared to remove offending search results for European users, but balks at removing material globally just because European courts find that it violates European privacy rules.

Today, the EU and Japan announced political agreement in principle on an Economic Partnership Agreement. Overall, this should be a positive development for EU and Japanese workers, consumers, and businesses. But, it does fall short in one crucial regard. There is no binding data flow obligation yet. SIIA put out a statement on this gap today. Instead of a binding data flow commitment now, the two sides agreed to conclude an accord on data flows in early 2018.

In a March 30, 2017 opinion piece, “Don’t trade away data protection,” two leading Members of the European Parliament, Viviane Reding and Jan-Phillip Albrecht, suggest “strengthening data protection safeguards in the General Exception (known as GATS XIV) and E-Commerce chapters, and removing necessity and consistency tests.” The idea behind the proposal is to make absolutely certain that the General Data Protection Regulation (GDPR) and perhaps other parts of the EU privacy acquis could not be successfully challenged as inconsistent with an affirmative cross-border data flow obligation. This is a topic SIIA will comment on again in the coming months, likely in a longer form Issue Brief. This blog discusses the proposal to remove the necessity test.

The Elliott School of International Affairs hosted a very interesting conversation today on “New Avenues to Govern Cross-Border Information Flows.” SIIA co-sponsored the event together the Internet Society of Greater Washington, D.C. The Institute for International Economic Policy (IIEP) presented the event. Research Professor and Cross-Disciplinary Fellow Susan Aaronson moderated.
I provided an industry perspective, and my talk is available here. My written remarks focus on what we hope to achieve with respect to cross-border data flows in the Trade in Services Agreement (TISA), the WTO’s E-commerce Work Committee, the G20, G7, and the OECD. However, as fellow panelist USTR Director for Digital Trade Sam DuPont concentrated on these fora, I emphasized in my spoken remarks four aspects of the cross-border data flow discussion. First, key industry “asks” such as obligations to permit data flows, avoidance of serv ...

Readers of this blog will know that the SIIA and Thomson Reuters-supported Atlantic Council study: Into the Clouds: European SMEs and the Digital Age” was released on October 10 at Aspen Berlin/Germany on October 10. We followed up in Brussels on October 12 with a lively DIGITALEUROPE workshop and a well-attended Transatlantic Policy Network dinner. In addition, I met with German and European Commission officials this week. A few takeaways from these events and meetings follow.
Cloud adoption rates are variable in Europe and surprisingly low in Germany. Low adoption in Germany derives in part from continuing surveillance concerns but is perhaps equally caused by a preference for in-house solutions, even by SMEs. Localization of data in-country remains a preference of many German companies and cloud providers increasingly provide that option to their customers who are evidently willing to pay a premium for that service.
The Commissi ...

Just as everyone was headed out of Washington for the Memorial Day weekend, CNBC did a report on Google’s Two Years of Forgetting Europeans. It was a useful summary of the material Google publishes in its transparency report on European privacy requests for search removals. It noted such interesting facts as that Google has removed 43% of the URLs they have reviewed and processed and that Facebook was the most frequently removed URL.
But the report strangely missed a major legal development that threatens a stable international understanding about the limits of domestic law in age of global communications networks.
This stable understanding is that national governments have control over the Internet within their own borders. They have right and the obligation to make the rules of the road for Internet conduct occurring within their own borders. But they don’t have the right to extend their local laws to Internet conduct within the jurisdiction of other cou ...